A new report from cybersecurity firm MITIGA has revealed that malicious actors can exploit a lack of forensic visibility in Google Cloud Platform (GCP) to exfiltrate sensitive data.
The research found that GCP does not provide sufficient visibility into its storage logs to enable effective forensic investigation, meaning organisations may be unaware of potential data exfiltration attacks.
The attack requires the adversary to gain control of an Identity and** Access Management **(IAM) entity in the targeted organisation.
GCP storage access logs do not provide visibility into potential file access and read events, making it difficult to differentiate between malicious and legitimate user activity.
Mitiga’s report includes mitigation recommendations from Google, such as using Virtual Private Cloud (VPC) service controls and organisation restriction headers to restrict cloud resource requests:
VPC Service Controls - with the use of VPC Service Controls administrators can define a service perimeter around resources of Google-managed services to control communication to and between those services
Organization restriction headers - organization restriction headers enable customers to restrict cloud resource requests made from their environments to only operate resources owned by select organizations. This is enforced by egress proxy configurations, firewall rules ensuring that the outbound traffic passes through the egress proxy, and HTTP headers.
In case neither VPC Service Controls nor Organization restriction headers are enabled we suggest searching for the following anomalies:a. Anomalies in the times of the Get/List events.b. Anomalies in the IAM entity performing the Get/List events.c. Anomalies in the IP address the Get/List requests originate from.d. Anomalies in the volume of Get/List events within brief time periods originating from a single entity.
Restrict access to storage resources and consider removing read/transfer permissions.